Fms India 2011 Bcm


Business Continuity for Real Estate & Facilities professional.

  1. FMS India 2011: BC Management process and regulatory framework. Sumeet Sharma. © 2010 Colt Technology Services Group Limited. All rights reserved.
  2. Agenda: 1 Colt; 2 Business Continuity Management and Regulation; 3 Key elements of Risk, Response and Recovery planning; 4 Identifying and evaluating asset risks for Business Continuity; 5 Business Continuity Strategies; 6 Questions and Answers.
  3. About Colt (section 1).
  4. Business Continuity Management and Regulation (section 2).
  5. Legislation and Regulations in India
     • Information Technology Act as amended by Act of 2008
     • The Information Technology (Amendment) Bill, 2006
     • .IN Domain Name Registration Policy
     • Semiconductor Integrated Circuits Layout-Design Rules, 2001
     • Semiconductor Integrated Circuits Layout Design Act 2000
     • Rules for Information Technology Act 2000
     • .IN Domain Name Dispute Resolution Policy
     • Gujarat Information Technology Rules, 2004
     • Karnataka Cyber Cafe Regulations
     • Information Technology Act, 2000
     • India BCP: 1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)
  6. Legislation and Regulations International
     • European Union Data Protection Directive of 1998
     • EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
     • MAS Business Continuity Management Guidelines (June 2003) (MAS: Monetary Authority of Singapore)
     • Guidance Note GGN 232.1 Risk Assessment and Business Continuity Management (APRA), Australia
     • Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763), Section 404 (PCAOB: Public Company Accounting Oversight Board), US
     • HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule #7, Contingency Plan (164.308 (a) (7) (i)) (GAO), US
     • Interagency Paper for Strengthening the Resilience of US Financial System
     • STO BR IBBS-1.0-2010 (Central Bank of the Russian Federation; STO BR IBBS-1.0-2006)
     • The Civil Defence & Emergency Management Act (2002, New Zealand)
     • Manual for the Development of Contingency Plans in Financial Institutions, Japan FSA (FISC: The Centre for Financial Industry Information System), Japan
  7. Management standards
     International Organization for Standardization
     • ISO/IEC 27001:2005 (formerly BS 7799-2:2002) ISMS
     • ISO/IEC 27002:2005 (renumbered ISO/IEC 17799:2005) Information Security Management: Code of Practice
     • ISO/IEC 22399:2007 Guideline for incident preparedness and operational continuity management
     • ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
     • IWA 5:2006 Emergency Preparedness
     British Standards Institution
     • BS 25999-1:2006 Business Continuity Management Part 1: Code of practice
     • BS 25999-2:2007 Business Continuity Management Part 2: Specification
     • BS 25777:2008 Information and communications technology continuity management: Code of practice
  8. Key Elements of Risk, Response and Recovery planning (section 3).
  9. Risk is the potential that a chosen action or inaction will lead to a loss; it implies that a choice is having an influence on the outcome. Potential losses themselves may also be called "risks". Almost any human endeavour carries some risk. Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
  10. Response and Recovery. Risk assessment process:
     • is a step in a risk management procedure.
     • Risk assessment is the determination of the quantitative or qualitative value of risk.
     • Defines the relation to a concrete situation and a recognized threat.
     • Methods for assessment of risk may differ between industries.
     • Potential loss and probability of occurrence can be very difficult to measure.
     • Financial decisions, such as insurance, express risk in money values.
     • For health and environmental decisions, loss is simply a verbal description of the outcome.
     • IT risk assessment can be performed by a qualitative or quantitative approach.
     • Quantitative risk assessment: Annualised Loss Expectancy = Single Loss Expectancy × Annual Rate of Occurrence.
     • Qualitative risk assessment: Critical Information = Confidentiality + Integrity + Availability.
  11. Identifying and evaluating asset risks for business continuity (section 4).
  12. Identifying Assets
     Primary Assets
     • Cash and its flow
     • Business processes and business activities
     • Information
     Supporting Assets
     • Site
     • Hardware
     • Software
     • People
     • Network
     • Organisation
  13. Evaluating Assets
     1. Net Asset Value: Confidentiality, Integrity, Availability
     2. Existing Controls
     3. Risk level (Value): Threat Level, Vulnerability Level
     4. Management Decision
     5. Mitigation Controls
     6. Residual Risk level (Value)
     7. Final Management decision and sign off.
  14. Business Continuity Strategy (section 5).
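An added example (not from the deck or from Colt) that walks one asset through the seven evaluation steps of slide 13, using the qualitative C + I + A value and the ALE = SLE × ARO formula from slide 10 and the treatment options from slide 16. The 1..5 scoring scale, the product form value × threat × vulnerability, the risk-appetite threshold and the sample asset are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Every factor is scored on a constructed qualitative scale 1 (low) .. 5 (high).


@dataclass
class Asset:
    name: str
    kind: str                 # "primary" or "supporting", the slide 12 taxonomy
    confidentiality: int
    integrity: int
    availability: int
    threat_level: int         # slide 13 step 3: threat level
    vulnerability_level: int  # slide 13 step 3: vulnerability level


def net_asset_value(asset: Asset) -> int:
    """Step 1, qualitative form from slide 10: Critical Information = C + I + A."""
    return asset.confidentiality + asset.integrity + asset.availability


def risk_level(asset: Asset, vulnerability_level: Optional[int] = None) -> int:
    """Steps 3 and 6: value x threat x vulnerability (the product form is an assumption)."""
    vuln = asset.vulnerability_level if vulnerability_level is None else vulnerability_level
    return net_asset_value(asset) * asset.threat_level * vuln


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative form from slide 10: ALE = SLE x ARO."""
    return sle * aro


def treatment(risk: int, appetite: int) -> str:
    """Step 4: choose a slide 16 treatment option against an assumed risk appetite."""
    return "Retention (accept and budget)" if risk <= appetite else "Reduction (optimize - mitigate)"


def evaluate(asset: Asset, existing_controls: List[str], mitigation_controls: List[str],
             vulnerability_after: int, appetite: int) -> dict:
    """Steps 1-7 of slide 13 for one asset; mitigation only lowers the vulnerability level."""
    risk = risk_level(asset)
    residual = risk_level(asset, vulnerability_after)
    return {"asset": asset.name, "net_asset_value": net_asset_value(asset),
            "existing_controls": existing_controls, "risk_level": risk,
            "management_decision": treatment(risk, appetite),
            "mitigation_controls": mitigation_controls, "residual_risk_level": residual,
            "sign_off": residual <= appetite}   # step 7: sign off only inside appetite


# Constructed register entry: a primary information asset from the slide 12 list.
BILLING = Asset("Customer billing data", "primary", 5, 5, 4, threat_level=4, vulnerability_level=3)
BILLING_ENTRY = evaluate(BILLING, ["access control"], ["encryption at rest", "offsite backup"],
                         vulnerability_after=1, appetite=60)
```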
  15. Relation between Risk Management and BCP
     • The risk management process creates important inputs for the BCP.
     • Examples: assets, impact assessments, cost estimates etc.
     • Risk management also proposes applicable controls for the observed risks.
     • Therefore, risk management covers several areas that are vital for the BCP process.
     • However, the BCP process goes beyond risk management's pre-emptive approach.
     • It assumes that the disaster will happen at some point.
  16. Strategy. Risk Management and BCP strategy:
     • Avoidance (eliminate, withdraw from or not become involved)
     • Reduction (optimize - mitigate)
     • Sharing (transfer - outsource or insure)
     • Retention (accept and budget)
     All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risk and create a business continuity plan.
  17. Case study: Colt. [Incident classification and escalation flowchart; only its labels are recoverable.]
     Priority 1 incident: a major disaster at the facility causing failure of operations for more than a week. Probable causes: earthquake, environmental disasters, hurricane, flood, terrorism etc.
     Priority 2 incident: an incident which may disrupt some or all processes beyond 1 day but less than a week. Probable causes: IT systems failure, communications services breakdown, organised and/or deliberate disruption.
     Priority 3 incident: an incident which may disrupt a single or multiple processes for a short period of 4 hours to 1 day. Probable causes: electrical power failure, communications services breakdown, IT systems failure, unavailability of staff / staff shortage etc.
     Flow labels: Incident -> Non-IT Incident (Damage Assessment Team: Corp. Security, BCP, RE & Facilities, Local IT, HR) or IT Incident (End User -> IT Service Desk -> Network & Local IT -> Incident Manager / BCP Team) -> Incident Classification -> P3 Incident Response Team (Incident Contained?) / P1/P2 Country Crisis Management Team / BCMS Forum -> P2: Activate BCP; P1: Activate BCP & DR Plans -> BCP Team (BC Champ & Business Recovery Team), Group Crisis Management Team (Instructions & Updates / Status) -> Prolonged Outage? -> Incident Contained.
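An added example (not the deck's or Colt's own code) that encodes the slide's three priority classes as outage-duration thresholds and the "Prolonged outage?" re-assessment as an escalation step. The thresholds and team names come from the slide; which teams are attached to which priority, the non-IT damage-assessment routing and the below-P3 handling are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds in hours, read off the slide's priority definitions.
P3_MIN_HOURS = 4      # P3: 4 hours to 1 day
P2_MIN_HOURS = 24     # P2: beyond 1 day but less than a week
P1_MIN_HOURS = 168    # P1: more than a week

# Team names are from the slide; attaching them to a priority is our assumption.
TEAMS = {
    "P3": ["Incident Manager / BCP Team", "Incident Response Team"],
    "P2": ["Country Crisis Management Team / BCMS Forum", "BCP Team (BC Champ & Business Recovery Team)"],
    "P1": ["Country Crisis Management Team / BCMS Forum", "Group Crisis Management Team",
           "BCP Team (BC Champ & Business Recovery Team)"],
}
PRIORITY_ORDER = ["P3", "P2", "P1"]


@dataclass
class Incident:
    cause: str
    is_it_incident: bool
    expected_outage_hours: float


def classify(hours: float) -> Optional[str]:
    """Map an expected disruption length to the slide's priority class."""
    if hours > P1_MIN_HOURS:
        return "P1"
    if hours > P2_MIN_HOURS:
        return "P2"
    if hours >= P3_MIN_HOURS:
        return "P3"
    return None   # below the P3 floor: a routine service-desk ticket (assumption)


def handle(incident: Incident) -> dict:
    """Initial routing decision for a freshly classified incident."""
    priority = classify(incident.expected_outage_hours)
    return {
        "priority": priority,
        "damage_assessment": priority is not None and not incident.is_it_incident,
        "activate_bcp": priority in ("P1", "P2"),                        # P2: BCP
        "activate_dr": priority == "P1" and incident.is_it_incident,     # P1: BCP & DR
        "teams": TEAMS.get(priority, ["IT Service Desk"]),
    }


def reassess(priority: str, elapsed_hours: float, contained: bool) -> str:
    """'Prolonged outage?' loop: an uncontained incident that has run past its class
    is escalated to the class its elapsed duration now matches."""
    if contained:
        return priority
    now = classify(elapsed_hours)
    if now and PRIORITY_ORDER.index(now) > PRIORITY_ORDER.index(priority):
        return now
    return priority
```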
  18. Case study: Colt. Alternate Workplace: Colt's strategy for recovery of premises is based on Split Operations, wherein the operations are split in the ratio of 70:30, e.g. two geographically separated and culturally different sites in India, and a similar locally suitable setup in Barcelona. Different recovery options have been implemented at Colt as Backup and Recovery Strategies.
     Hot site: a hot site is a recovery site that has the equipment, systems and support resources to duplicate/replicate Colt's business functions affected by any occurrence of an event or disaster. Hot sites at Colt are generally fully equipped and kept operationally ready. Most of Colt's Data Centres meet the requirements of a hot site.
     Warm site: Colt's alternate recovery site is only partially equipped and can be readied for operations only as and when required; it can be scaled in the same manner as a hot site as per the recovery time objectives (RTO) for systems, functions and processes. Colt has identified premises which can meet the requirements of a warm site as they have connectivity and other basic infrastructure. They also have SLAs and contracts with IT and other suppliers and vendors to meet the operational requirements.
     Dual Processing: Colt has a dual processing facility where business processes across two locations have been divided (50:50 or 70:30 ratio), with live operational infrastructure at both locations. This enables redundancy of any single (critical) business process delivery across multiple locations. It gives the effect of a secondary site that is like a hot site with some percentage of operational capability (and vice versa). If done effectively, this meets Colt's minimum recovery time objective for the minimum required emergency service.
  19. Questions & Answers. Thank you for your time and patience. Feedback: sumeet.sharma@colt.net. © 2010 Colt Telecom Group Limited. All rights reserved.